[Openid-specs-ab] Lite Draft 8

John Bradley ve7jtb at ve7jtb.com
Thu Aug 18 00:19:47 UTC 2011


Yes but the question is how you ask for authorization.

If there is only one scope then you can't ask for a subset.  At least Facebook dosen't want to give email by default.  

I suspect that you are not arguing agains privacy, or consent.  So perhaps I am not understanding the question.

Are you asking for a single scope called openid that provides a id_token for the session info and an access token scoped for all of the users available attributes?

The current proposal is 4 scopes so that a RP just wanting to do SSO doesn't need to ask for permission to get the users name.

openID = User ID
email  = email
address = address
profile = all remaining default attributes.

I think for interoperability we have to say something about the scopes for the user-info endpoint.

John
On 2011-08-17, at 1:28 PM, Anthony Nadalin wrote:

> So why would you have to give back all the information? You get back all or any portion that you are authorized to access
>  
> From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
> Sent: Tuesday, August 16, 2011 4:41 PM
> To: Anthony Nadalin
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Lite Draft 8
>  
> From a privacy point of view giving all of the information in the user-info endpoint all the time with only a single scope is not ideal.  
> Mike wanted to do that but have additional negative scope so that you could say you don't want things, but have the default be the common case.  
> This still requires defining multiple scopes.
>  
> We could just make openid the scope for the id_token.  However that makes interoperability for the user-info endpoint worse than AX if that is possible.
>  
> I wouldn't want to get rid of nonce or state for security reasons.  We could make those required for the profile and ditch prompt and display.
>  
> Other opinions?
>  
> On 2011-08-16, at 7:03 PM, Anthony Nadalin wrote:
> 
> 
> 1.       3.1 Why is there any scope beyond “openid”, is this spec going to be continually updated whenever a new scope is added/changed, seems like a bad idea to have additional scopes in the spec
> 2.       3.2.1 Why have optional parameters, this should be basic (code and go)
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/c5c3755d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/c5c3755d/attachment-0001.p7s>


More information about the Openid-specs-ab mailing list